File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
Win a copy of Clojure in Action this week in the Clojure forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Where to store the user credentials in an enterprise application(EAI)

Arnav Velimala
Ranch Hand
Posts: 37
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
We are developing a Event Notification Service. The application at a high level looks like below:

Our developene scope involves widget and the ENS.

"ENS" acts as a central point of collection for certain types of events that are of interest to users. Any user who wants to know when these types of events occur registers with ENS, which identifies events in order and matches notifications with subscriptions.

The user who wants to subscibe should be a valid user of the intergrated application(db, sap system etc)

The sequence of events:

ENS are the web-services.

ENS polls the SAP(and other applications) and this is where the problem is becoming more complex. In SAP there is data-level authorization. So not all users are allowed to see all the events/data.

If the SAP has PUSHed the data, along with the User info who has authorized to see, then no issues at all.

Case 1: Scheduler is initiated by the ENS

1. User subscribes to a subscription. At the time of subscription, user is checked for his authorization in the SAP system. If OK, then he will be allowed for Subscription.
2. The scheduler runs at the scheduled time.
3. The scheduler identifies the users who are subscribed.
4. The scheduler uses the stored credentials of the users(stroed in ENS) to POLL if the event occured.
5. Notify users if there are changes.

Disadvs here:

* User credentials are stored somewhere external - Security team might not accept it
* Reduntant hits if more than one user is subscribed for the same piece of information

Case 2: Scheduler is intitated by the WIDGET. User creds will be stored in the users local machine only. Diadv:

* If the subscription is daily, and if the user system/widget is not up. The user might miss the notifications that happened on say, weekends.
* Reduntant hits to the server if more than one user is subscribed for the same piece of information.

my question/doubts:

What is the best pracitces in storing the Users db, sap etc credentials.

How often should the user be authenticated? Should be everytime the messages are delivered?(if I use this strategy, it will affect the source system)

Jan Cumps
Posts: 2577
C++ Linux Netbeans IDE
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have moved this question to our Security forum.
Although it fits in several of our forums, this is the one where you can get the safest and most secure advise.
I agree. Here's the link:
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic